Borg Backup Server

Patch release focused on the long-running ClickHouse log noise saga and a handful of contributor-reported bugs.

ClickHouse log noise — root-cause fix

The Poco file logger in recent ClickHouse versions has a rotation bug where RotateBySizeStrategy::mustRotate throws on every log call once the rotation state goes bad. Each throw emits a stack trace that itself fails to log, amplifying a single warning into tens of thousands of lines. Two previous patches (v2.52.2's cron-based truncation, v2.53.2's switch to foreground launch) bounded the visible damage but left the underlying loop intact — output was just moving from stderr.log inside the container to Docker's JSON log on the host (#280).

This release removes the file logger from our ClickHouse override entirely. The override now uses <console>1</console> with <log remove="remove"/> and <errorlog remove="remove"/> so ClickHouse's merged config has no file destinations at all. With no file to fail to rotate, the feedback loop can't form. Internal warnings go to stdout/stderr — captured by Docker's log driver on Docker, by journald on bare metal. Both handle rotation properly. (#266, #280)

For bare-metal users: bbs-update now restarts ClickHouse when our override file changes during an update, so the new config actually takes effect instead of sitting on disk waiting for a manual restart or reboot (#278). Pre-existing system_log tables created by older ClickHouse versions are also dropped on update (matching what the Docker entrypoint already did), so the override's remove="remove" directives have nothing left to keep around.

For Docker users: the shipped docker-compose.yml now caps log driver size at max-size=10m max-file=3. If you're running docker run directly, pass --log-opt max-size=10m --log-opt max-file=3 for the equivalent. The wiki's Docker Installation page has been updated with details.

Net result on a long-running install: ClickHouse CPU dropped from ~36% to ~20% after the restart, log files frozen at their previous size and not growing, catalog ingest and search work normally against a 1.19-billion-row catalog.

Other fixes

• OIDC user provisioning now reads preferred_username and name from the verified ID token, falling back to the userinfo endpoint only if those claims aren't in the token. Several common OIDC providers (Keycloak with default mappers, Authentik, Microsoft Entra) put profile claims in the ID token rather than the userinfo response, which used to leave new SSO users with generic user_N names. New users provisioned after the upgrade get their actual username from the provider. Existing user_N accounts can be renamed manually from the user-edit page. (#277)
• Shell hook "Expose repository passphrase" checkbox is now actually rendered in the plugin create and edit forms. The feature shipped functionally in v2.53.0 but the UI form for shell_hook was hardcoded and didn't include the new field, making it unreachable from the dashboard. (#276)
• S3 sync now works for repos in any registered storage location, not just paths under /var/bbs/. The two rclone actions in bbs-ssh-helper were the last operations still using a hardcoded path check instead of the shared allow-list every other privileged action calls. Installs using /opt/bbs, /mnt/..., or any other path registered in /etc/bbs/allowed-storage-paths can now S3 sync and restore. (#270)

Notes

• Agent and server versions remain synchronized at 2.53.3.
• Docker image rebuilds automatically via GitHub Actions.
• No database migrations.